Since upgrading to foreman 0.3 I've been having problems getting
puppetca + smart proxy to work. Prior to 0.3, everything was working
pretty smooth, so I'm not sure what I hosed. Here's something that
sticks out to me in the smart-proxy log (/tmp/proxy.log):
Failed to list certificates: Unable to find CA inventory file at /var/lib/puppet/ssl/ca/inventory.txt
This file does exist and I do see all of my clients listed in the
file. In the meantime, I turned off SSL for my smart-proxy just to
reduce any 'extra complexity'.

On Fri, Jun 10, 2011 at 6:47 AM, Luke Baker wrote:
> Since upgrading to foreman 0.3 I've been having problems getting
> puppetca + smart proxy to work. Prior to 0.3, everything was working
> pretty smooth, so I'm not sure what I hosed. Here's something that
> sticks out to me in the smart-proxy log (/tmp/proxy.log)
>
> Failed to list certificates: Unable to find CA inventory file at /var/lib/puppet/ssl/ca/inventory.txt
>
Permissions? try adding the user which runs the proxy to the puppet group.

Turns out I had a duplicate certificate that was signed for my puppet
master. Once I removed that cert things were good.
On Jun 10, 1:00 am, Ohad Levy wrote:
> Permissions? try adding the user which runs the proxy to the puppet group.

On Mon, 2011-06-13 at 07:35 -0700, Luke Baker wrote:
> Alright, I got this sorted out…
>
> Turns out I had a duplicate certificate that was signed for my puppet
> master. Once I removed that cert things were good.
Could you explain a bit more? it does not make much sense to me…
in fact, you can have multiple certificates for your master (e.g. one CA
certificate and another puppet client certificate)…

Well, I had a signed certificate for my puppetmaster - I also had
another signed certificate for the puppetmaster (the file name was
different). Once I deleted this certificate, 'things' just started
working. Not sure what was going on there.
On Jun 13, 9:38 am, Ohad Levy wrote:
> Could you explain a bit more? it does not make much sense to me...
> in fact, you can have multiple certificates for your master (e.g. one CA
> certificate and another puppet client certificate)...

On Thu, Jun 16, 2011 at 11:07 PM, Bency wrote:
> Hi Luke, Ohad
>
> I am also getting the same error message, if I execute the puppetca
> command from cmd line it's not throwing any error.
>
> D, [2011-06-17T08:04:24.665421 #17248] DEBUG -- : Found puppetca at /usr/sbin/puppetca
> D, [2011-06-17T08:04:24.665731 #17248] DEBUG -- : Found sudo at /usr/bin/sudo
> D, [2011-06-17T08:04:24.665908 #17248] DEBUG -- : Executing /usr/bin/sudo -S /usr/sbin/puppetca --list --all
> E, [2011-06-17T08:04:25.547190 #17248] ERROR -- : Failed to list certificates: Unable to find CA inventory file at /var/lib/puppet/ssl/ca/inventory.txt
> ^C
> [root@testvm1 ~]# /usr/bin/sudo -S /usr/sbin/puppetca --list --all
> + centos.apnonline.co.nz (09:8E:0C:54:42:2A:36:3D:2D:0E:58:39:CA:9A:6B:ED)
>
are you running your smart proxy as root? I'm guessing not…
as the proxy user, try to run both the sudo command and to see if you can
see the content of /var/lib/puppet/ssl/ca/inventory.txt.
most likely you simply need to add the foreman-proxy account to the puppet
group.
> Any help would be appreciated.
>
> Thanks
> Bency
>
> On Jun 16, 9:23 am, Luke Baker wrote:
> > Well, I had a signed certificate for my puppetmaster - I also had
> > another signed certificate for the puppetmaster (the file name was
> > different). Once I deleted this certificate, 'things' just started
> > working. Not sure what was going on there.

It was indeed a permission issue, your suggestion was right on the
money.
On Jun 17, 5:14 pm, Ohad Levy wrote:
> are you running your smart proxy as root? I'm guessing not...
> as the proxy user, try to run both the sudo command and to see if you can
> see the content of /var/lib/puppet/ssl/ca/inventory.txt.
>
> most likely you simply need to add the foreman-proxy account to the puppet
> group.
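
The check suggested in the thread (can the proxy account actually reach inventory.txt?), written out as an added example that is not part of the original messages: it walks the path and reports the first component whose owner/group/other bits deny the given account. The function names `mode_allows` and `first_blocker` are made up here, and the script assumes a `stat` that supports `-c`; ACLs, SELinux and root's override are not modelled.

```sh
#!/bin/sh
# Added example, not from the thread. Classic owner/group/other bits only:
# ACLs, SELinux and root's override are ignored. Assumes a stat that
# supports -c (GNU coreutils or BusyBox).

# mode_allows MODE FILE_UID FILE_GID UID "GIDS" NEED
# NEED is 4 (read) or 1 (search). Exactly one permission class applies:
# owner if the uid matches, else group if any gid matches, else other.
mode_allows() {
    perms=$(($1 % 1000))                 # drop the setuid/setgid/sticky digit
    if [ "$4" = "$2" ]; then
        bits=$((perms / 100))
    else
        case " $5 " in
            *" $3 "*) bits=$((perms / 10 % 10)) ;;
            *)        bits=$((perms % 10)) ;;
        esac
    fi
    [ $((bits & $6)) -ne 0 ]
}

# first_blocker USER ABSOLUTE_PATH
# Prints the first path component USER cannot search (directories) or read
# (final component) and returns 1; prints nothing and returns 0 otherwise.
# An empty USER means the account running the script.
first_blocker() {
    user=$1 rest=${2#/} cur=""
    uid=$(id -u ${user:+"$user"}) && gids=$(id -G ${user:+"$user"}) || return 2
    while [ -n "$rest" ]; do
        cur="$cur/${rest%%/*}"
        case $rest in
            */*) rest=${rest#*/} need=1 ;;   # intermediate directory: search bit
            *)   rest="" need=4 ;;           # final component: read bit
        esac
        st=$(stat -c '%a %u %g' "$cur") || return 2
        set -- $st
        mode_allows "$1" "$2" "$3" "$uid" "$gids" "$need" || { echo "$cur"; return 1; }
    done
    return 0
}

# Usage: sh check.sh foreman-proxy /var/lib/puppet/ssl/ca/inventory.txt
if [ $# -eq 2 ]; then first_blocker "$1" "$2"; fi
```

Run it as root so `stat` can see every component. If the reported blocker is group-accessible to the puppet group, adding the proxy account to that group and restarting the proxy (group membership is read at process start) is the narrow fix, rather than loosening modes on the CA directory.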